Apache Shiro 1.2.0 enhances its password hashing

Just over fourteen months since its first release as an Apache top-level project, the Apache Shiro developers have released version 1.2.0, the first major update to the Shiro application security framework. Shiro is designed to enable Java developers to create enterprise applications with features such as authentication, authorization, enterprise management and cryptography services, without having to use JAAS or EJB security models. One design goal of Shiro was to make the software understandable after a ten-minute tutorial.

The 1.2.0 release includes new features such as the ability to selectively disable sessions and a LogoutFilter for applications which need to redirect users after logging them out. A command line program to securely hash passwords and new secure password hash formats are designed to be easier to work with, while working in a similar fashion to Apache HTTPD’s passwd program. A new PasswordService module makes secure password hash storage simpler and can be used directly in applications along with a PasswordMatcher module to perform comparisons.
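How PasswordService and PasswordMatcher fit together at registration and login, as an added example that is not code from the Shiro project or from this article. It assumes shiro-core 1.2.0 on the classpath; the class name, the in-memory user map, the realm name and the sample password are constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.authc.credential.PasswordMatcher;
import org.apache.shiro.authc.credential.PasswordService;

public class PasswordServiceExample {
    // Constructed stand-in for a user table: username -> stored hash string.
    private static final Map<String, String> USERS = new HashMap<String, String>();
    private static final PasswordService SERVICE = new DefaultPasswordService();
    private static final PasswordMatcher MATCHER = new PasswordMatcher();
    static { MATCHER.setPasswordService(SERVICE); }

    static void register(String user, char[] password) {
        // encryptPassword salts and hashes the input; the returned string
        // carries the algorithm, iteration count, salt and digest, so it is
        // the only value that has to be persisted. The plaintext is never stored.
        USERS.put(user, SERVICE.encryptPassword(password));
    }

    static boolean login(String user, char[] password) {
        String stored = USERS.get(user);
        if (stored == null) {
            return false; // unknown account
        }
        UsernamePasswordToken token = new UsernamePasswordToken(user, password);
        SimpleAuthenticationInfo info =
                new SimpleAuthenticationInfo(user, stored, "exampleRealm");
        try {
            // PasswordMatcher hands the submitted password and the stored
            // string to the PasswordService for comparison.
            return MATCHER.doCredentialsMatch(token, info);
        } finally {
            token.clear(); // zero the password held by the token
        }
    }

    public static void main(String[] args) {
        register("alice", "constructed-sample-pw".toCharArray());
        String again = SERVICE.encryptPassword("constructed-sample-pw".toCharArray());
        System.out.println("stored: " + USERS.get("alice"));
        System.out.println("same password, different salt: " + !again.equals(USERS.get("alice")));
        System.out.println("correct: " + login("alice", "constructed-sample-pw".toCharArray()));
        System.out.println("wrong:   " + login("alice", "guess".toCharArray()));
    }
}
```

In a deployed application the same PasswordMatcher instance would be set as the realm's credentials matcher, so the comparison runs inside Shiro's normal authentication flow instead of being called by hand.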

Shiro filters can now be enabled or disabled without modifying the filter chain, which is useful in development to, for example, have SSL disabled but easily enabled in production. Finally, support modules for Apache’s OSGi runtime, Karaf, Google’s Guice DI framework and JASIG’s CAS SSO service have been added. A full list of features added and issues resolved is available in the release notes.

Apache Shiro is available to download and is licensed under the Apache Licence 2.0. The download page also includes instructions on how to install Shiro using Maven 2.